SharePoint Online via Restricted Application Access

An alternative way to connect to SharePoint Online using site-scoped application permissions instead of granting organization-wide SharePoint access.

Overview

Movebot supports connecting to SharePoint Online using a restricted application configuration that limits access to a defined subset of SharePoint sites within the tenant.

This method introduces additional configuration complexity and is not recommended unless site-level access restriction is required.


When should this be used instead of full access?

If you require:

  • Restricting access to a specific SharePoint site

  • Compliance controls preventing tenant-wide SharePoint access

If you are not subject to the above requirements, follow the standard SharePoint Online guide.

Requirements

To configure this connection method, you will need:

  • A Movebot account

  • A Microsoft 365 administrator account

  • Access to Microsoft Entra ID

  • Access to Microsoft Graph Explorer

How to Configure Restricted SharePoint Access

  1. Create the Application Registration in Entra

    • Log in to Microsoft Entra as an administrator and navigate to App registrations.

    • Click New registration.

    • Specify a name for the new application. Leave the remaining fields as default. Click Register.

    • Make note of the following values:

      • Application (Client) ID – required for Movebot configuration

      • Directory (Tenant) ID – required for Movebot configuration

  2. Configure API Permissions

    Graph API

    • API Permissions → Add a Permission

    • Select: Microsoft Graph → Application Permissions

    • Enable permission:

    • Click Grant admin consent.

    SharePoint API

    • API Permissions → Add a Permission

    • Select: SharePoint API → Application Permissions

    • Enable permission:

    • Click Grant admin consent.

  3. Create a Client Secret

    • Navigate to: Certificates & secrets → Client secrets → New client secret

    • Create the secret and copy the Client Secret Value.

    • This will be required in Movebot.

  4. Configure the Connection in Movebot

    • The following information must be entered into the Movebot SharePoint connector:

      • SharePoint Domain

      • Tenant ID

      • Application Client ID

      • Application Client Secret

  5. Upload the certificate from Movebot

    Finally, you will need to generate and download the client certificate from Movebot and upload it to Azure for authentication.

    • Under Step 3 in Movebot, click Generate and Download Certificate. A PEM file will be downloaded from Movebot.

    • In Azure, click Certificates & secrets → Certificates → Upload certificate.

    • Upload the PEM file downloaded from Movebot in the previous step.

    • The thumbprint in Azure should match the one shown in Movebot
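    A quick way to confirm the thumbprint match before moving on, as an added example that is not Movebot's or Microsoft's code: it computes the SHA-1 thumbprint of the downloaded PEM in the upper-case hex form the Entra portal displays and compares it with whatever Movebot shows, ignoring case and separators. The PEM below is constructed placeholder data, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for the PEM file downloaded from Movebot (not a real
# certificate; only the base64 body matters for the thumbprint calculation).
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-certificate-bytes-for-demo").decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem_text):
    """Extract the DER bytes from the first CERTIFICATE block in a PEM file."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
        pem_text, re.DOTALL,
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def thumbprint(pem_text):
    """SHA-1 over the DER encoding, upper-case hex: the form Entra displays."""
    return hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()


def normalise(displayed):
    """Drop colons, spaces and case so portal and Movebot renderings compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", displayed).upper()


def thumbprints_match(pem_text, displayed):
    """True when the certificate's thumbprint equals the value the other side shows."""
    return thumbprint(pem_text) == normalise(displayed)
```

    Point the functions at the real PEM file and the thumbprint string from the Movebot UI; a False result means the wrong certificate was uploaded.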

  6. Grant Site-Level Access Using Microsoft Graph

    • The Sites.Selected permission alone does not grant access. Site-level permissions must be assigned explicitly.

    • Retrieve the Site ID. Open the following URL in your browser and replace the placeholders:

    • Example:

    • Copy the returned Site ID (GUID) value.

  7. Sign in to Graph Explorer

    • Navigate to: https://aka.ms/ge

    • Sign in with a Microsoft account.

    • Grant your user the following delegated permission:

    • (This is required only to assign site permissions.)

  8. Assign Application Access to the Site

    • Run the following request in Graph Explorer: POST https://graph.microsoft.com/v1.0/sites/{site_id}/permissions

    • Replace {site_id} with the Site ID retrieved earlier.

    • Request Body:

    • A successful response returns:

  9. Assign Application Access to Root Site (Required)

    • Run the following request in Graph Explorer: POST https://graph.microsoft.com/v1.0/sites/root/permissions

    • Use the same request body format as above.

    • This ensures the application can resolve the SharePoint structure correctly.
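    The site lookup and the two permission grants from steps 6 to 9, written as an added example (not Movebot's or Microsoft's code): it builds the Graph requests, rejects any role outside the least-privilege set, and parses the site ID out of the lookup response. The request-body shape, the role names and the hostname:/sites/{name} lookup path are assumed from the Microsoft Graph documentation for Sites.Selected rather than taken from this page; the token, app ID and site name are placeholders.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"
# Roles a Sites.Selected app can be granted on one site. Assumed from the Graph
# documentation, not from this page; grant the lowest one the job needs
# (read for a migration source, write for a destination).
ALLOWED_ROLES = {"read", "write"}


def site_lookup_request(hostname, site_name, token):
    """GET that resolves a site's ID from its hostname and site name (step 6).

    The path form is assumed from the Graph docs; the page leaves its URL out."""
    url = f"{GRAPH}/sites/{hostname}:/sites/{site_name}"
    return ("GET", url, {"Authorization": f"Bearer {token}"})


def parse_site_id(lookup_response):
    """Pull the site ID out of the lookup JSON.

    Graph returns 'hostname,siteCollectionId,webId'; the GUID the guide refers
    to is the middle component, and the whole string is accepted in site URLs."""
    site_id = lookup_response.get("id", "")
    parts = site_id.split(",")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"unexpected site id format: {site_id!r}")
    return site_id


def permission_body(app_client_id, app_name, roles):
    """Body for POST /sites/{id}/permissions granting the app access (steps 8, 9)."""
    if not roles or set(roles) - ALLOWED_ROLES:
        raise ValueError(f"roles must be a non-empty subset of {sorted(ALLOWED_ROLES)}")
    return {
        "roles": list(roles),
        "grantedToIdentities": [
            {"application": {"id": app_client_id, "displayName": app_name}}
        ],
    }


def grant_requests(site_id, app_client_id, app_name, roles, token):
    """The two POSTs the guide requires: the chosen site, then the root site."""
    body = json.dumps(permission_body(app_client_id, app_name, roles))
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return [
        ("POST", f"{GRAPH}/sites/{site_id}/permissions", headers, body),
        ("POST", f"{GRAPH}/sites/root/permissions", headers, body),
    ]
```

    Send the lookup first, feed its JSON to parse_site_id, then send both grant requests with any HTTP client; a 201 response on each is the success case the guide describes.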

Important Notes

Connection Test Behaviour

When using restricted site scoping:

  • The Movebot connection test may not validate all sites automatically.

  • Only the specifically granted SharePoint site will be accessible.

  • This is expected behaviour.

Permission Propagation Delay

Permission updates may not take effect immediately.

In some environments, it can take up to an hour before site access reflects the new configuration. If testing fails immediately after setup, wait and retry before troubleshooting further.

Site Mapping Requirement

When using restricted access:

  • Site transfers must be mapped manually using CSV Transfer Mapping.

  • Only explicitly granted SharePoint sites are accessible.

  • Access to other sites in the tenant will result in failures.

Supported Features

Certain features are not supported when using restricted access.

  Feature                         Supported
  SharePoint Document Libraries   Supported (no automatic creation)
  Permissions                     Not Supported
  Versions                        Fully Supported
  Modtime Retention               Fully Supported
